author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-17 04:31:11 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-17 04:31:11 +0000 |
commit | 91f4ee60a964065867404c19d0634fcf9fe85b21 (patch) | |
tree | c8af2e8574849f7748ec0b1f64064185e1bd11a7 /sys/kern | |
parent | be95bf53491d0ea8de2513b8257d3b5b9072fbec (diff) |
Add pledge "id" support. This request permits setuid/seteuid/setresuid,
setgid/setegid/setresgid, setgroups, setlogin, and setpriority.
setrlimit and getpriority are also allowed (they are also in "proc")
some of these were previously permitted in "proc" but have been removed.
this separation is intentional. "proc" is intended for reasoning about
the relationship of a process "with other processes", whereas "id" deals with
the powerful/dangerous concept of unix ids. "id" will see some action
very soon.
ok gilles tedu semarie doug
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_pledge.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index 1a5bdd192a6..8e054abd04b 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.41 2015/10/17 00:58:50 jca Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.42 2015/10/17 04:31:10 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org> @@ -147,16 +147,24 @@ const u_int pledge_syscalls[SYS_MAXSYSCALL] = { [SYS_fork] = PLEDGE_PROC, [SYS_vfork] = PLEDGE_PROC, - [SYS_kill] = PLEDGE_SELF | PLEDGE_PROC, [SYS_setpgid] = PLEDGE_PROC, [SYS_setsid] = PLEDGE_PROC, - [SYS_setrlimit] = PLEDGE_PROC, + [SYS_kill] = PLEDGE_SELF | PLEDGE_PROC, - [SYS_execve] = PLEDGE_EXEC, + [SYS_setrlimit] = PLEDGE_PROC | PLEDGE_ID, + [SYS_getpriority] = PLEDGE_PROC | PLEDGE_ID, - [SYS_setgroups] = PLEDGE_PROC, - [SYS_setresgid] = PLEDGE_PROC, - [SYS_setresuid] = PLEDGE_PROC, + [SYS_setuid] = PLEDGE_ID, + [SYS_seteuid] = PLEDGE_ID, + [SYS_setresuid] = PLEDGE_ID, + [SYS_setgid] = PLEDGE_ID, + [SYS_setegid] = PLEDGE_ID, + [SYS_setresgid] = PLEDGE_ID, + [SYS_setgroups] = PLEDGE_ID, + [SYS_setlogin] = PLEDGE_ID, + [SYS_setpriority] = PLEDGE_ID, + + [SYS_execve] = PLEDGE_EXEC, /* FIONREAD/FIONBIO, plus further checks in pledge_ioctl_check() */ [SYS_ioctl] = PLEDGE_RW | PLEDGE_IOCTL | PLEDGE_TTY, @@ -249,6 +257,7 @@ static const struct { { "sendfd", PLEDGE_RW | PLEDGE_SENDFD }, { "recvfd", PLEDGE_RW | PLEDGE_RECVFD }, { "ioctl", PLEDGE_IOCTL }, + { "id", PLEDGE_ID }, { "route", PLEDGE_ROUTE }, { "mcast", PLEDGE_MCAST }, { "tty", PLEDGE_TTY }, |
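Review bot: In the @@ -147,16 +147,24 @@ hunk, SYS_setgroups, SYS_setresgid and SYS_setresuid move from PLEDGE_PROC to PLEDGE_ID with no overlap, so a program that pledges only "proc" and then changes its ids will violate its pledge after this change unless it also requests "id". The commit message says the split is intentional; a short comment above the new [SYS_setuid] block recording that, and why SYS_setrlimit and SYS_getpriority carry PLEDGE_PROC | PLEDGE_ID while SYS_setpriority is PLEDGE_ID only, would keep later edits from folding these calls back into "proc". The reordering of SYS_kill and SYS_execve in the same hunk is unrelated to the new request and would be easier to review as a separate change.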
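Review bot: The { "id", PLEDGE_ID } entry added in the @@ -249,6 +257,7 @@ hunk exposes a new request string to userland, but this view is limited to sys/kern, so neither the definition of PLEDGE_ID nor any manual text for "id" is visible here. Please confirm both are part of the same commit, with the manual listing the calls named in the commit message.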